A medical student who copied the private data of 87 patients onto a memory stick – and then lost it – has landed the University Hospital of South Manchester in trouble with the Information Commissioner's Office (ICO).
The ICO ruled today (7 September) that the South Manchester hospital breached the Data Protection Act by letting …

COMMENTS

Blame

I don't see how this was the hospital's fault, they had a system in place to only allow the use of approved memory sticks. If the student was stupid enough to think that making a copy of that data was OK then I don't want that student to become a doctor.

Things can only get better

As HM.Gov managed to use a bit of a nutter and then sexist taunting to mask the NHS carve-up we can only expect more of this to happen. Fewer medical staff and more contractors with fewer checks on security.

As contracts come and go where will the data be held and who will be holding it?

Happens all the time

Medical students have to produce continuous case reports and audits of patients to get their degrees but they will often submit these after they have finished a placement and possibly moved to another hospital which could quite literally be 100 miles from the last one depending on your medical school. Hence data gets copied.

Students are told that data must be anonymous which is fine if you don't need to compare results say before and after an operation in which case you need at least the patients name and DOB in your records. That may be fine when you're in hospital and can use the NHS encrypted sticks but what happens when you leave your patients or need to work on things at home (you do because absolutely zero time at work is given for things like audits which A are good for hospitals and improving outcomes and B are essential to get you a job since points based scoring was introduced).

Do the university provide encrypted data sticks for home use/advise on encrypting your laptop? I thought not in which case student/trainee is in a catch 22. Don't do it and you don't get a job or degree or do it and risk data loss which you are told not to do.

The data in this case was probably names, DOB and outcomes of operations. Probably not sensitive data in the case of hand operations but there are certainly a lot of diseases and problems where this would be embarrassing to any patients where their details were released.

Re: Happens all the time

Anonymised data

Anonymised does not mean randomised. There are plenty of tools and techniques out there to allow live patient/customer databases to be anonymised without ruining the continuity of things like patient records. These should routinely be used whenever data is extracted for research use - this is why the hospital is at fault. They should not put students in a position whereby they can make such cock-ups.

Sad, really. This isn't difficult, yet NHS IT cannot even get these basic things right. Remind me who it is all outsourced to, again?

re: Anonymised data

This is almost certainly not a research paper but a Uni assignment and sadly a med student doesn't get access to software to make the sort of databases you describe as the typical hospital computers they will have access to are the ones used by the doctors to type up letters and check on scan results.

In one word

Pseudonymisation. The NHS has spent a helluva lotta cash and person-hours (sorry to be so PC but I'm posting under my real name) trying to ensure that if you do have to use data for research and audit, and totally anonymous data (ie with all personalised detail removed) won't do, it's passed through a pseudonymisation process to generate a unique ID that can specify an individual without identifying them.

A bit like session cookies. Same UID, different date of contact - we now have pre- and post-op comparisons. The muppet (rethinking posting under my own name) med student only needed this, instead of name and DOB, and age at operation instead of DOB.

Our experience is that doctors don't give a rat's arse for information governance (really unsure about posting under my own name) or Caldicott principles or anything else that they need to comply with because they think they are this big (holds arms wide) and that the NHS is this big (holds thumb and forefinger an infinitesimal distance apart) whereas the truth is the other way around. (Nope, Deffo 'anonymous coward' for me - I have to work with these types)
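As an added example (not from the article or any of the commenters), here is one way to do what the "Anonymised data" and "In one word" comments describe, in Python: a keyed pseudonym replaces name and DOB, age at the operation replaces DOB, and pre- and post-op rows still link by UID alone. The key, the sample records and the scores are constructed assumptions.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample extract: invented names, DOBs, dates and scores,
# shaped like the pre/post-op audit rows the commenter describes.
RAW_RECORDS = [
    {"name": "A. Patient", "dob": "1950-03-14", "event": "pre-op", "date": "2011-05-02", "score": 42},
    {"name": "A. Patient", "dob": "1950-03-14", "event": "post-op", "date": "2011-06-30", "score": 18},
    {"name": "B. Patient", "dob": "1972-11-01", "event": "pre-op", "date": "2011-05-09", "score": 37},
]

# Hypothetical secret: held by the trust, never written to the extract or the stick.
TRUST_KEY = b"hypothetical-trust-secret-kept-off-the-stick"


def pseudonym(name: str, dob: str, key: bytes = TRUST_KEY) -> str:
    """Keyed hash of the identifying fields: the same patient always gets the
    same UID, but without the key nobody can reverse it or recompute it from
    a guessed name and DOB (a plain unkeyed hash would be trivially brute-forced)."""
    ident = f"{name.strip().lower()}|{dob}".encode()
    return hmac.new(key, ident, hashlib.sha256).hexdigest()[:16]


def age_at(dob_iso: str, on_iso: str) -> int:
    """Whole years between DOB and the event date; replaces DOB in the extract."""
    born, on = date.fromisoformat(dob_iso), date.fromisoformat(on_iso)
    return on.year - born.year - ((on.month, on.day) < (born.month, born.day))


def pseudonymise(records: list, key: bytes = TRUST_KEY) -> list:
    """Drop name and DOB; keep UID, age at event, event type and outcome."""
    return [
        {
            "uid": pseudonym(r["name"], r["dob"], key),
            "age_at_event": age_at(r["dob"], r["date"]),
            "event": r["event"],
            "score": r["score"],
        }
        for r in records
    ]


def pre_post_pairs(pseudo_records: list) -> dict:
    """Link pre- and post-op rows by UID alone, the comparison the student needed."""
    by_uid: dict = {}
    for r in pseudo_records:
        by_uid.setdefault(r["uid"], {})[r["event"]] = r["score"]
    return {u: (ev["pre-op"], ev["post-op"]) for u, ev in by_uid.items()
            if "pre-op" in ev and "post-op" in ev}
```

The UID is only as safe as the key: whoever holds it can recompute pseudonyms, so it stays with the trust, and rare combinations of age and outcome can still narrow a row down to a person.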

@Tom Melly

hmmm

You can only go so far telling people. It looks like the Trust did the right thing by giving the student an encrypted stick, but then needed/wanted it back when said student left the employ of that Trust, which is fair enough.

The issue is that we have doctors & med students etc milling around the NHS and being employed by different Trusts.

What the outside world does not realise is that the NHS is not like Tesco, with a head office and branches. Each trust is a separate "company", and that when someone moves between trusts, it is like moving from Tesco's to Asda.

The only way to prevent this is for either the NHS centrally or the Universities to take on some of the data protection responsibility, or for the individuals involved to do so.

I don't see in this case how it's the Trust's fault. They could have told this guy a thousand times and he still would have "stole" the data.

Trusts still no good

Unless they provide encrypted data sticks that the medical staff can take and use at home then they're failing. Doctors are required (sometimes as part of their training but usually by virtue of not getting their next job in 2 years time otherwise) to do audits and write up presentations.

When it's med students it really should be the Unis that are taking the responsibility for making sure they give their students a way to safely move data about but good luck getting them to recognise the issue.

A suggestion to the Information Commissioner's Office

On Medical Students

We have tried telling them, we have tried not-quite-patronising interactive training with a shiny certificate at the end of it, we have cajoled, coaxed, threatened and beseeched them not to remove unencrypted patient data from NHS premises.

We have warned them of the possible consequences of failure as this is not just another Trust Policy but the law of the land!

All to no avail.

Medical students tend to regard absolute rules and laws as, at best, guidelines, applicable to the common herd of course, but not to them personally.

If Healthcare Trusts are to be fined for the idiocy of students, then the same Trust should have the right to Beat Them With a Stout Stick.

It will give the F1's on A&E rotation something to practice on. (And possibly learn a valuable lesson?)